Title: Reference Directions for Information Operation Resilience of Service Providers in Securities and Futures Markets

Announced Date: 2025.02.13 (Articles 2, 8, 12, 14 amended; English version coming soon)
Current English version amended on 2022.08.10
Categories: Information Operations

Chapter One – General Provisions
Article 1    These Reference Directions for Information Operation Resilience are established in accordance with the Financial Information Security Action Plan promulgated by the Financial Supervisory Commission, in order to strengthen the information operation resilience of securities firms, futures commission merchants, and securities investment trust and investment consulting enterprises, and to ensure that organizations can effectively implement response measures and reduce damage to a tolerable extent in the event that core systems are interrupted.
Article 2    The organizations governed by these Directions include securities firms, futures commission merchants, securities investment trust enterprises and securities investment consulting enterprises. These organizations are grouped into two categories, as described below:
  1. Category 1:
    1. Organizations that appoint a Chief Information Security Officer in accordance with Article 36-2 of the Regulations Governing the Establishment of Internal Control Systems by Service Providers in Securities and Futures Markets.
    2. Tier 1, 2 and 3 securities firms as listed in the Establishment of Inspection Mechanism for Securities Firm’s Information and Communication Security – Required Actions for Tiered Protection Schedule.
    3. Tier 1, 2 and 3 futures commission merchants as listed in the Establishment of Inspection Mechanism for Futures Commission Merchant’s Information and Communication Security – Required Actions for Tiered Protection Schedule.
  2. Category 2:
    1. Organizations not in Category 1.
  For a Taiwanese subsidiary or branch of a foreign business group whose information security, business continuity, or operation resilience management policies are established and controlled by its foreign parent company or head office, if the parent company or head office has established relevant control measures with stricter requirements, those requirements shall govern; otherwise, local laws and regulations shall govern.
  Unless otherwise specified below, the following reference directions cover the compliance matters applicable to organizations in both Category 1 and Category 2.
Article 3    The terms used in these Directions are defined as follows:
  1. Business continuity: The ability to handle and respond flexibly when information operations are damaged, experience irregularities, or services are interrupted.
  2. Core business: Necessary business that directly provides trading services to clients or supports the continuous operation of trading business.
  3. Core system: A necessary system that directly enables client trading or supports the continuous operation of trading business. All other systems are non-core systems.
  4. Business impact analysis (BIA): An analysis method that identifies the impacts on the organization as the period of interruption of core business lengthens.
  5. Maximum tolerable period of disruption (MTPD): The maximum period of interruption of core business that can be tolerated, taking into consideration laws and regulations, revenue losses and the demands of interested parties.
  6. Recovery Time Objective (RTO):
    1. RTO for core business: The target time from the occurrence of a disruptive incident affecting the core business until its recovery to the minimum tolerable service level, determined based on the results of the BIA.
    2. RTO for core system: The target time from the occurrence of a disruptive incident affecting the core system until its recovery to the minimum tolerable service level.
    3. The RTO for a core system shall be shorter than or equal to the RTO for the core business.
  7. Recovery Point Objective (RPO):
    1. RPO for core business: The tolerable amount of data loss pertaining to core business upon occurrence of a disruptive incident, determined based on the nature of the core business and the results of the BIA.
    2. RPO for core system: The tolerable amount of data loss pertaining to a core system upon occurrence of a disruptive incident, determined based on the nature of the core business.
    3. The RPO for a core system shall be less than or equal to the RPO for the core business.
  8. Minimum tolerable service level: The minimum operation level that the applicable core business is scheduled and expected to return to within its recovery time objective (RTO), based on the recovery objective of the core business.
  9. Disaster response mechanism: Response, disaster risk reduction or recovery measures applied to the relevant operating procedures of an individual system upon occurrence of an irregularity or interruption of a core system caused by disaster.